Six Things You Didn't Know About Firefox Extensions

Q&A with Mike Shaver, Mozilla Technology Strategist

August 18, 2006

By Jem Matzan

To many, a Firefox extension is more magic than technology, and the process by which it is developed and used is shrouded in mystery. To find out more about Firefox extensions and their capabilities, we asked some extension-related questions of the Mozilla Foundation's technology strategist, Mike Shaver.

LinuxPlanet: What's the technical difference between a plugin and an extension?

Mike Shaver: Typically, a "plugin" is a subset of what we consider to be "extensions" or "add-ons," and plugins usually provide the ability to view or manipulate a specific kind of content, such as a movie or document format, or even more dynamic content like Flash or Java. Plugins are typically restricted to a rectangular region of the page, and usually have limited interaction with the page and browser at large.

Extensions can cover a much wider range of functionality, not restricted to display of content types, and are able to add "top-level" user interface elements or interact with the Web pages that the user is viewing.

LP: What is the limit to an extension's abilities with Firefox? To what extent can it work with programs and data outside of Firefox?

Shaver: Extensions can be very powerful indeed. We provide APIs for accessing many kinds of data and executing programs, and through the XPCOM system the extension author can add support for other kinds of interaction as they need to.

LP: Must an extension be published under a specific license? If not, does the Mozilla Foundation recommend the Mozilla Public License for extensions, or some other license? Are there any proprietary, restrictively-licensed extensions right now?

Shaver: There are no specific licensing requirements for extensions. There are a number of extensions that are licensed as traditional, proprietary software, and the MPL is designed to accommodate those developers as well as protect the interests of open source contributors.

LP: It looks like Firefox extensions are mostly JavaScript. What other languages, programming practices, and design philosophies should prospective extension developers be familiar with?

Shaver: Firefox extensions are usually written in a combination of JavaScript and/or C++, as well as the XUL markup language Firefox uses to describe its user interface. Good knowledge of XML and DOM programming is important, and most extension developers need to learn about the XPCOM object model and services at some point. The Mozilla Developer Center (http://developer.mozilla.org) is a good place to find documents on those and other important Mozilla technologies.

LP: Describe the validation process for Firefox extensions. How can end-users be certain that a Firefox extension isn't malware in disguise?

Shaver: Installing a Firefox extension is installing software, and we encourage users to be very cautious when installing software. Users should consider where they got the software from, what they know about the source of the software and the author of the software, and check what other people are saying about the software in question. Mozilla hosts a site to facilitate community review and discussion of add-ons, in order to help users make good decisions about what add-ons they want to install.

LP: Is it possible for rogue extension developers to push malicious extensions to Firefox users through malware sites in the same way that malicious ActiveX applets are pushed to Internet Explorer users? Could Firefox be hijacked through an extension, and record and report users' keystrokes, or be used as a zombie in a DDoS attack?

Shaver: Malware can take many forms, and once it is running on the user's computer, it can be used to subvert any application, from photo-editing tools and music players to browsers and word processors. Once such malware is in control of a user's system, no application can effectively defend or trust itself. This is why it's so important that vendors act quickly to fix problems that can allow attackers to plant such attacks on a victim's computer, and that users are careful about the software they install.